github.com/google/osv-scalibr@v0.4.1/veles/secrets/gcpsak/validator.go

github.com/google/osv-scalibr@v0.4.1/veles/secrets/gcpsak/validator.go (about)

     1  // Copyright 2025 Google LLC
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //      http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package gcpsak
    16  
    17  import (
    18  	"context"
    19  	"encoding/json"
    20  	"fmt"
    21  	"net/http"
    22  	"net/url"
    23  
    24  	"github.com/google/osv-scalibr/veles"
    25  )
    26  
    27  const (
    28  	defaultUniverse = "www.googleapis.com"
    29  )
    30  
    31  var _ veles.Validator[GCPSAK] = &Validator{}
    32  
    33  // Validator is a Veles Validator for GCP service account keys.
    34  // It uses GCP's robot metadata HTTP endpoint to try and fetch the public
    35  // certificate for a given GCP SAK and use that for validation.
    36  //
    37  // TODO - b/409723520: Support universes beyond googleapis.com
    38  type Validator struct {
    39  	httpC           *http.Client
    40  	defaultUniverse string
    41  }
    42  
    43  // ValidatorOption configures a Validator when creating it via NewValidator.
    44  type ValidatorOption func(*Validator)
    45  
    46  // WithClient configures the http.Client that the Validator uses.
    47  //
    48  // By default it uses http.DefaultClient.
    49  func WithClient(c *http.Client) ValidatorOption {
    50  	return func(v *Validator) {
    51  		v.httpC = c
    52  	}
    53  }
    54  
    55  // WithDefaultUniverse configures the Validator to use a different default
    56  // universe other than "googleapis.com".
    57  // This is useful for validating keys for a specific, known universe or for
    58  // testing.
    59  //
    60  // Currently, the validator does not use the universe field from the key itself.
    61  func WithDefaultUniverse(universe string) ValidatorOption {
    62  	return func(v *Validator) {
    63  		v.defaultUniverse = universe
    64  	}
    65  }
    66  
    67  // NewValidator creates a new Validator with the given ValidatorOptions.
    68  func NewValidator(opts ...ValidatorOption) *Validator {
    69  	v := &Validator{
    70  		httpC:           http.DefaultClient,
    71  		defaultUniverse: defaultUniverse,
    72  	}
    73  	for _, opt := range opts {
    74  		opt(v)
    75  	}
    76  	return v
    77  }
    78  
    79  // Validate checks whether the given GCPSAK is valid.
    80  //
    81  // It looks up the keys for the SAK's ServiceAccount from the GCP metadata
    82  // server. If a corresponding public key can be found, it is used to validate
    83  // the Signature.
    84  func (v *Validator) Validate(ctx context.Context, sak GCPSAK) (veles.ValidationStatus, error) {
    85  	clientX509CertURL := fmt.Sprintf("https://%s/robot/v1/metadata/x509/%s", v.defaultUniverse, url.PathEscape(sak.ServiceAccount))
    86  	req, err := http.NewRequestWithContext(ctx, http.MethodGet, clientX509CertURL, nil)
    87  	if err != nil {
    88  		return veles.ValidationFailed, fmt.Errorf("unable to create HTTP request: %w", err)
    89  	}
    90  	res, err := v.httpC.Do(req)
    91  	if err != nil {
    92  		return veles.ValidationFailed, fmt.Errorf("unable to GET %q: %w", clientX509CertURL, err)
    93  	}
    94  	defer res.Body.Close()
    95  
    96  	// If it's a 404, we know the corresponding service account does not exist
    97  	// (anymore) or does not have any valid GCP SAK.
    98  	if res.StatusCode == http.StatusNotFound {
    99  		return veles.ValidationInvalid, nil
   100  	}
   101  
   102  	// If it's a 200, we can try to find the key's certificate and validate the
   103  	// signature. Otherwise something must have gone wrong.
   104  	if res.StatusCode != http.StatusOK {
   105  		return veles.ValidationFailed, fmt.Errorf("unable to GET %q, got HTTP status %q", clientX509CertURL, res.Status)
   106  	}
   107  
   108  	certs := map[string]string{}
   109  	if err := json.NewDecoder(res.Body).Decode(&certs); err != nil {
   110  		return veles.ValidationFailed, fmt.Errorf("unable to parse certificates from %q: %w", clientX509CertURL, err)
   111  	}
   112  	cert, ok := certs[sak.PrivateKeyID]
   113  	if !ok {
   114  		return veles.ValidationInvalid, nil
   115  	}
   116  	valid, err := Valid(sak.Signature, cert)
   117  	if err != nil {
   118  		// This should never happen when using the real GCP metadata server.
   119  		return veles.ValidationFailed, fmt.Errorf("unable to validate certificate from %q: %w", clientX509CertURL, err)
   120  	}
   121  	if valid {
   122  		return veles.ValidationValid, nil
   123  	}
   124  	return veles.ValidationInvalid, nil
   125  }